Practical VPC Network Planning on the Cloud

What is VPC

Virtual Private Cloud (VPC) is a private network on the cloud provided by Alibaba Cloud, which provides users with an independent and controllable network environment. Users can define the IP address range of VPC, configure routing tables and gateways, etc., and use Alibaba Cloud resources in VPC, such as ECS, RDS, and SLB.

VPC consists of at least one private network segment, one router, and at least one switch. The router (vRouter) is the core component of VPC, connecting the switches in the VPC and serving as a gateway device connecting the VPC and other networks. After each VPC is successfully created, the system automatically creates a router and associates at least one routing table. The routing table can manually add routing entries for the entire VPC and choose whether to publish it to the Cloud Enterprise Network to achieve interoperability across VPCs.

A switch (vSwitch) is a basic network device of a VPC, used to connect different cloud resources. After creating a VPC, users can create switches to divide the VPC subnets. Different switches in the same VPC can communicate with each other intranet. By creating switches in different availability zones and deploying applications, you can improve the availability of applications.

Key points for selecting a private network segment

When creating a VPC and switch, users need to specify the private network segment used by the VPC, which is divided in the form of CIDR address blocks. Alibaba Cloud provides multiple available private network segments for selection, such as 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8. Users can also customize address segments, except for some reserved address segments, which can be divided according to actual needs.

In a VPC, two types of network segments need to be planned. A private network segment is equivalent to a regional LAN, which is used to carry internally planned switches. A switch segment is a subset of a VPC and is a zone-level resource used to carry various cloud product services. For example, if a 10.10.0.0/16 VPC is created in Shanghai, switches belonging to the 10.10.0.0/16 subset can be created under the VPC, such as 10.10.0.0/17 to 10.10.0.0/29.

Enterprise VPC Network Planning Practice

In an enterprise, network planning can be performed based on the needs of departments and environments. For example, suppose there are three departments, A, B, and C, and each department has a test and production environment:

• Department A test environment: 10.10.0.0/16
• Department A production environment: 10.11.0.0/16
• Department B test environment: 10.12.0.0/16
• Department B production environment: 10.13.0.0/16
• C department test environment: 10.14.0.0/16
• Department C production environment: 10.15.0.0/16

How to divide network segments for different projects under VPC

Taking Department A as an example, suppose there are two projects: customer promotion and customer relations. In order to achieve high availability and service area coverage, multiple network segments can be created for each project.

A network segment with a 24-bit mask is created for each project, which can accommodate 253 hosts and meet the needs of most scenarios.

1. Subnet division: By adjusting the number of bits in the subnet mask, a large network segment can be divided into multiple smaller subnets. The number of bits in the subnet mask determines the number of available IP addresses in the subnet. Smaller subnets can be used for different departments, projects or purposes to achieve resource isolation and management.
2. Intercommunication between subnets: Different subnets in the same VPC can communicate with each other by default because they belong to the same private network. In this way, you can deploy applications in different subnets and communicate through the internal network.

The following is a common division method:

Create four availability zones for the customer promotion project, and their network segments all belong to 10.10.0.0/24.

Customer Relations Department:

Create four availability zones for the customer relationship project, and their network segments all belong to 10.10.1.0/24.

In this way, the specification requirements and high availability requirements of different projects can be met.

Summarize

In the above practice, we divided multiple network segments and used multiple availability zones. Let's summarize the advantages of doing so.

1. Resource isolation and security: By dividing the VPC into multiple subnets, resources for different departments, projects, or purposes can be isolated. Each subnet can have its own security group and network access control list (Network ACL), thereby achieving more refined access control and security policies. This can prevent resources between different subnets from interfering with each other and improve network security.
2. Network performance and availability: Subnet division can deploy resources in different subnets according to business needs. By creating subnets in different availability zones, you can achieve multi-regional deployment and redundancy of resources, improve application availability and disaster recovery capabilities. At the same time, Alibaba Cloud will automatically provide high-performance intranet interconnection for different subnets, accelerate data transmission and reduce latency.
3. IP address management: Subnet division allows you to manage IP addresses more efficiently. Each subnet has its own IP address range, and you can allocate enough IP addresses to each subnet as needed. In addition, you can also divide the subnet into smaller IP address segments for different purposes or different scales of resources, thereby improving the utilization of IP addresses.
4. Flexible network architecture: Subnet division provides you with flexible network architecture design. You can create subnets of different sizes and purposes according to business needs to meet the needs of different departments or projects. For example, you can create different subnets for test environments and production environments to achieve isolation and management. At the same time, the intranet interconnection between subnets can be customized through routing tables and Cloud Enterprise Networks between VPCs to meet complex network connection requirements.